Feds Target Phishers
Government fraud-busters have stepped up their attacks against phishing and online identity theft. Does it matter?
Online swindles have generated plenty of headlines, and so did the Federal Trade Commission last month when it struck back at the scammers. On June 17, FTC officials trumpeted a joint effort with Visa International, the Better Business Bureau, and others to warn of the perils of online identity theft. The same day, the agency announced its first law-enforcement settlement for “phishing.” Phishers are online scammers who pose as representatives of legitimate businesses (in this case it was eBay and America Online) and persuade e-mail users to divulge personal financial details.
Do the FTC’s actions make a difference in the war against consumer fraud? Consumer advocates credit the agency’s clout and newsmaking skills for reaching the public on a national scale. “It definitely raises awareness,” says Shelley Curran, a policy analyst for the west coast office of Consumers Union, publisher of Consumer Reports magazine. “Whenever a government agency steps up and starts making an issue higher profile, it has impact.” But even as President Bush signed a bill last week that sets minimum penalties for phishing and other forms of identity theft, consumer advocates say that phishing has become such an insidious scam that the most meaningful measures to protect the public will need to come from broad-based coalitions. So far, they say, most actions are falling short.
The FTC’s actions in June were a classic agency one-two punch, says attorney James Kaminski of the Washington, D.C., law firm Arent Fox. “Not only were people prosecuted,” says Kaminski, “but it was on the nightly news.”
It’s grand schemes such as that one, which netted 473 credit-card numbers, that put phishers on the FTC radar, says Kaminski, who spent three years prosecuting federal deceptive-practice cases as an attorney for the agency. “This scam was national in scope, and it involved financial information,” he says. “It was a natural target for the FTC. Had it been small or limited in geographic scope, the FTC might not have been as interested.”
According to the FTC, 42 percent of all complaints filed with the agency in 2003 (a total of almost 215,000 reports) pertained to identity theft. And the Anti-Phishing Working Group, an industry organization, reports that there were 176 unique phishing attacks reported to it in January 2004. For the month of May, the number soared to 1,197.
Consumer groups applaud the headlines but fault the FTC for not taking a more active stand in consumers’ defense. For example, the FTC’s home page includes an “ID Theft” button under its Hot Topics heading; it links to several pages of details, including an informational page on phishing. To Beth Givens, director of the Privacy Rights Clearinghouse in San Diego, such passive warnings aren’t enough. Givens says the FTC website would be far more useful if it included, among other things, sample phishing pitches so consumers could better appreciate how real-looking the cons appear.
With phishing scams growing more sophisticated by the day, the FTC represents just one avenue to combat the scams. Even more aggressive outreach is needed by the financial institutions that have become frequent phishing targets, says Linda Sherry, editorial director for Consumer Action, a San Francisco-based organization that offers education and advocacy in such fields as credit, banking, privacy, and insurance. Sherry suggests that banks program their ATMs to include brief onscreen messages about phishing that customers would be required to read before completing their transaction. “They certainly don’t mind doing that when they’re trying to sell you something,” she says.
Some banks are starting to take action, and not a moment too soon. The Anti-Phishing Working Group counts 370 phishing attacks in May using the Citibank name, making it the most used brand name in phishing scams. So it’s no wonder that the banking giant’s website now features a prominent link to a listing of e-mail scams using the Citibank name. The list includes 37 sample e-mails (and that’s just from April to July) as well as a link to report receiving one.
Consumer groups cheer such actions as well as the formation of cross-industry groups committed to stamping out phishing, such as the Trusted Electronic Communications Forum that formed in June to devise technical solutions to phishing. The scams are pernicious enough, consumer advocates say, to demand a concerted effort of government agencies, industry, and banking organizations.
But “to reach consumers today,” says Givens, “you have to be very, very creative.” Generic mass-mailings, such as warnings stuffed into envelopes along with monthly statements, just won’t cut it. More appropriate tactics against phishers’ slick offerings, says Givens, are targeted, in-your-face efforts. She suggests that a partnership of government, industry, and financial organizations could mount its own faux phishing scam: one that, when clicked on, reveals the words, “you’ve been had.”
As the FTC has learned, such targeted messages are good for the fraud business.